:try
del "C:\DOCUME~1\Media\LOCALS~1\Temp\svchost.exe"
if exist "C:\DOCUME~1\Media\LOCALS~1\Temp\svchost.exe" goto try
del "C:\DOCUME~1\Media\LOCALS~1\Temp\$$c398.tmp.bat"
I tried zipping the svchost.exe file, but it gives me access denied errors. I will try again in safe mode; I will update this post then with the attachment.
Edit: Before booting to safe mode, I checked all processes under my username and found out that "svhost32.exe" was running... I found out the path through Process Explorer and tried to copy it... it gave me access denied errors. So I booted the OS in safe mode and copied it; it is attached now. That one file that I was going to get from the Temp folder (i.e. svchost.exe) is no longer there. I believe that svchost.exe in the Temp folder was used to create svhost32.exe, which was then placed in C:\Program Files\Microsoft. It looks like a "World of Warcraft" password stealer, but I want to know how it got into my PC in the first place. How can I find out what this process was trying to do to my computer?
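As an added triage helper (not the poster's file or any vendor tool), the script below statically parses a dropped batch file and flags the pattern shown at the top of this post: a label, a `del` of an executable in Temp, an `if exist ... goto` retry loop back to the label, and a final `del` of the .bat itself. The sample batch is constructed from the lines quoted in the post; the function names are mine.

```python
import re

# Constructed sample built from the batch quoted in the post above; the
# analyzer below is an added example, not code recovered from the machine.
SAMPLE = r'''
:try
del "C:\DOCUME~1\Media\LOCALS~1\Temp\svchost.exe"
if exist "C:\DOCUME~1\Media\LOCALS~1\Temp\svchost.exe" goto try
del "C:\DOCUME~1\Media\LOCALS~1\Temp\$$c398.tmp.bat"
'''

LABEL = re.compile(r'^:(\w+)\s*$')
DEL = re.compile(r'^del\s+"?([^"]+?)"?\s*$', re.I)
IF_EXIST = re.compile(r'^if\s+exist\s+"?([^"]+?)"?\s+goto\s+(\w+)\s*$', re.I)


def analyze_batch(text):
    """Statically triage a batch file for the delete-retry-then-self-delete
    pattern: a label, 'del <path>', 'if exist <path> goto <label>' jumping
    back to that label, and a final 'del' of a .bat (the script erasing itself).
    Returns the paths the script removed so they can be hunted elsewhere."""
    labels, deleted, loops = {}, [], []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for i, ln in enumerate(lines):
        if m := LABEL.match(ln):
            labels[m.group(1).lower()] = i
        elif m := DEL.match(ln):
            deleted.append(m.group(1))
        elif m := IF_EXIST.match(ln):
            path, target = m.group(1), m.group(2).lower()
            # A backward goto to a label, where the checked path was already
            # deleted after that label, is a "retry until the file is gone" loop
            # (the file is still locked by a running process at that moment).
            if target in labels and labels[target] < i and path in deleted:
                loops.append(path)
    self_delete = [p for p in deleted if p.lower().endswith('.bat')]
    temp_exes = [p for p in deleted
                 if '\\temp\\' in p.lower() and p.lower().endswith('.exe')]
    return {
        'deleted': deleted,
        'retry_delete_loops': loops,
        'self_delete': self_delete,
        'temp_executables_removed': temp_exes,
        'suspicious': bool(loops and self_delete),
    }


if __name__ == '__main__':
    for key, value in analyze_batch(SAMPLE).items():
        print(f'{key}: {value}')
```

The `deleted` paths are the ones worth checking in the browser cache, Prefetch and the Temp folder's remaining files, since the dropped executable itself is gone by the time the batch finishes.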